Redundancies for reconstruction in mass data storage systems

ABSTRACT

A mass data storage system includes a redundancy manager that uses a physical position map to select a subset of storage resources having a physical distribution satisfying at least one resource distribution rule. The physical position map identifies physical positions of storage resources relative to a number of power supply units. A read/write manager writes data redundancies to select storage resources of the selected subset to provide a predetermined level of data protection that allows for reconstruction of lost data in a number of diverse circumstances.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application claims benefit of priority to U.S. Provisional Patent Application No. 62/012,205 entitled “Off-line/On-line Mass Data Storage Management” and filed on Jun. 13, 2014, and also claims benefit of priority to U.S. Provisional Patent Application No. 62/012,219 entitled “Off-line/On-line Mass Data Storage System” and filed on Jun. 13, 2014. Both of these applications are specifically incorporated by reference for all that they disclose or teach.

SUMMARY

Implementations disclosed herein provide data management techniques for creating data redundancies in a mass data storage system and using the data redundancies to reconstruct data in a variety of circumstances. According to one implementation, a system includes a physical position map that identifies physical positions of a plurality of storage resources relative to a number of power supply units. An online/off-line monitor detects a failed storage resource of the plurality of storage resources and a redundancy manager identifies a subset of the storage resources storing data redundancies based on the physical position map and restores data of the failed storage resource from at least one storage resource of the identified subset powered by a different power supply unit than the failed storage resource.

This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. These and various other features and advantages will be apparent from a reading of the following Detailed Description.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example mass data storage system that provides data redundancies for reconstruction of both individual storage resources and field replaceable units (FRUs).

FIG. 2 illustrates an example data management scheme for providing data redundancies across FRUs in a mass data storage system.

FIG. 3 illustrates another example data storage scheme for providing data redundancies across FRUs in a mass data storage system.

FIG. 4 illustrates an example control system that provides data redundancies for data reconstruction in a mass data storage system.

FIG. 5 illustrates example operations for providing redundancies for data reconstruction in a mass data storage system.

FIG. 6 illustrates example operations for reconstructing one or more storage resources of a mass data storage system.

DETAILED DESCRIPTION

In a mass data storage system, data redundancies may be included on multiple different storage resources to increase a likelihood of data recovery in the event that one or more individual storage resources or system components fail. However, it can be difficult to predict and manage failures of multiple resources at one time. For example, failure of a power supply or field replaceable unit (FRU), such as a zone board including multiple drives, may temporarily render multiple resources unusable for read and write operations. In some cases, replacing an individual failed storage resource entails temporarily disconnecting and/or replacing a number of resources at once. These and other considerations pose significant challenges in providing guaranteed levels of data protection in mass data storage systems.

The implementations disclosed herein provide techniques for mass data storage that increase a likelihood of successful data reconstruction responsive to a diverse variety of potential contingency circumstances, such as single and multi-point drive and power failures. In one implementation, data redundancies are intentionally spread to different storage resources of a power grid to guarantee a baseline level of data protection in the event of power failure and/or replacement of a FRU.

FIG. 1 illustrates an example mass data storage system 100 that provides data redundancies for reconstruction of both individual storage resources and FRUs. The storage system 100 (e.g., a server cluster or farm) is comprised of a number of storage racks (e.g., storage racks 102, 104) oriented in adjacent or separate physical locations or facilities (e.g., data rooms or centers). The storage system 100 may accommodate any number of storage racks and each rack is located in one of any number of server facilities. The storage system 100 may accommodate any use of mass data storage (e.g., content delivery, backup, archiving, running scientific simulations such as computational fluid dynamics, and rendering computer generated imagery, such as a render farm).

The individual storage racks are interconnected to one another via a computer network 106 (e.g., Ethernet or a custom interconnect network) and may also be connected to one or more external data source(s)/destination(s) 108 via the same computer network 106 or an additional interconnected network (e.g., a local area network or a wide area network, not shown) using a variety of communication protocols including but not limited to (e.g., transmission control protocol/internet protocol (“TCP/IP”), packet over synchronous optical networking/synchronous digital hierarchy (“SONET/SDH”), multiprotocol label switching (“MPLS”), asynchronous transfer mode (“ATM”), Ethernet, Infiniband, and frame relay). As a result, data may be moved between the individual storage racks and the external data source(s)/destination(s) 108 as desired.

Each individual storage rack includes an array of storage media units, also referred to herein as zone boards, (e.g., media units 130, 132, 134, 136). In FIG. 1, the media unit represents an example Field Replaceable Unit (FRU). As used herein, “FRU” generally refers to the smallest component or assembly that can be quickly or easily removed to replace or repair one or more storage resources. Each of the media units is mutually coupled to and controlled by a rack controller (e.g., example rack controllers 118 and 120). The storage rack 102 includes 10 media units controlled by the rack controller 118 and distributed across five power supply units (PWR A, PWR B, PWR C, PWR D, and PWR E) so that each power supply unit is shared by a pair of consecutive media units and a ratio of media units to power supply units is 2:1.

The storage rack 104 includes 9 individual storage media units controlled by a rack controller 120 and distributed across three power supply units (PWR A, PWR B, PWR C) such that a ratio of media units to power supply units is 3:1. In other implementations, some storage racks include greater or fewer individual media units than the depicted 10 and 9 storage media units per storage rack and/or a different distribution of media units powered by each power supply unit. In other implementations, some racks may not include a rack controller and/or an individual rack controller may control multiple racks.

Each of the media units or zone boards (e.g., a media unit 130) includes an array of individual storage drives (e.g., a storage drive 122) controlled by an associated media unit controller (e.g., a media unit controller 126). For example, the media units 132 and 134 each include 8 individual storage drives controlled by a corresponding media unit controller 126 and 128, respectively. The media unit 136 includes 5 individual storage drives (e.g., storage drive 114) controlled by media unit controller 138. In other implementations, individual storage media units may include greater or fewer storage drives than the depicted 8 and 5 storage drives per media unit. In at least one implementation, a media unit includes a single storage drive. In still other implementations, individual storage resources may not be grouped into media units (as shown) and controlled by a shared controller (e.g., the media unit controller 126). Rather, storage resources may be controlled by a single rack controller and/or may include separate, independent processors collectively coupled to one or more rack or chassis controllers.

It may be understood that in FIG. 1, the media unit (e.g., 130) represents an example FRU. In other implementations, the FRU may represent a finer level of granularity—such as an individual disk or drive.

In one implementation, each storage drive is a distinct storage medium or set of storage media with some or all of the read/write control functions of the storage drive removed to the corresponding media unit controller and/or rack controller of the mass data storage system 100. In another implementation, read/write control functions of one or more of the storage drives are retained within the storage drives and are thus not removed to the corresponding media unit controller or rack controller of the mass storage system.

In the mass data storage system 100, each of the individual storage resources may each be assigned to one or more logical zones (e.g., logical zones 140, 142, 144). The individual logical zones are each designed to provide an associated level of data protection to data stored therein. For example, data protection may be provided by a combination of redundancies stored in the logical zone and erasure code, CRC or LDPC applied within the logical zone.

To guarantee high levels of data protection, each logical zone is defined to include storage resources distributed across a power grid according to one or more resource distribution rules. As used herein, a “resource distribution rule” is a rule limiting a physical distribution of one or more storage resources, power supply units, and/or other system components relative to one another. One example resource distribution rule limits possible arrangements of storage resources relative to power supply units. For example, the logical zone 140 is defined to include a distribution of storage resources with no more than two storage resources that share a same power supply unit. In contrast the logical zone 144 is defined to include a distribution of storage resources with no more than three storage resources sharing a same power supply unit. Another example resource distribution rule limits a total number of storage resources in a same logical zone that can be in a same FRU. For example, the logical zone 142 includes no more than one storage resource per media unit.

Assignments of storage resources to the various logical zones may be based on any criteria, and may even be arbitrary provided that each assigned grouping of storage resources satisfies the resource distribution rules specified for the associated logical zone. The storage resources in each individual logical zone may be arranged according to a variety of different possible configurations and may include, for example, one or more vertically adjacent storage resources (e.g., as in the logical zones 140 and 144), diagonally adjacent storage resources (as in the logical zone 142), non-adjacent resources, and/or horizontally adjacent resources.

When data is written to a storage resource in the mass data storage system 100, data redundancies are stored in multiple storage resources in a same logical zone. “Data redundancies” refers to, for example, data that is in addition to user or system data that permits correction of errors in stored or transmitted data. For example, data redundancies may refer to data that is spread across and/or duplicated at a number of different storage locations that can be assembled in one or more ways to reconstruct a cohesive data set. By storing data redundancies in multiple storage locations of a logical zone (e.g., a logical zone 140), data can be physically spread to disparate locations on a power grid (e.g., different FRUs, different power supply units, etc.) so as to optimize data retrieval in the event of failure or one or more media units or power supply units. For example, a failure of the storage resource 122 may result in temporary ejection and/or replacement of the corresponding media unit 132. When the media unit 132 is placed back on-line after a replacement or repair, lost data of the storage resource 122 can be restored from redundant data on other storage resources in the logical zone 140, such as data located in different FRUs and powered by different power supply units.

As mentioned above, a media unit represents one example FRU. However, in other implementations, an FRU may be multiple media units or one or more multi-drive units including characteristics different from the media units described herein. The following description provides an exemplary framework for spreading data redundancies across a power grid to maximize a likelihood of data reconstruction in the event of storage resource failure, power failure, or FRU replacement.

FIG. 2 illustrates an example data management scheme for providing sufficient data redundancies across multiple FRUs in a mass data storage system 200. As used herein, the term “sufficient data redundancies” refers to data redundancies sufficient to fully reconstruct lost data assuming that a total amount of lost data is less than an anticipated worst case failure scenario. In one implementation, the mass data management system 200 provides sufficient data redundancies to reconstruct data on all storage resources powered by the same power supply unit. For example, two media units 236 and 234 powered by the same power supply unit (PWR 1) may be ejected, replaced, and restored without first making hard copies of any data stored on the associated storage drives (e.g., a storage drive 222). The data on all 16 storage drives included in the media units 234 and 236 can be fully restored from system redundancies.

The mass data storage system 200 includes a storage rack 202 including a number of media units (e.g., media units 230, 232) mutually coupled to and controlled by a rack controller 218 (e.g., a compute node). Each media unit (e.g., zone board) includes a media unit controller (e.g., a media unit controller 224) communicatively coupled to an associated nest of storage drives (e.g., via compute nodes, serial attached SCSI (“SAS”) connections, etc.). Further the rack controller 218 is communicatively coupled to the media unit controllers within the corresponding rack 202.

When an individual storage drive fails, the corresponding FRU may be taken off-line to facilitate repair or replacement of components or the entire FRU. Where a storage drive is “off-line,” data cannot be written to or read from the storage drive. For example, all storage drives in the media unit 236 may become unavailable for read and write operations if the storage drive 222 fails and the media unit 236 is taken off-line to facilitate repair or component replacement. In some implementations, the entire media unit 236 is replaced when a single drive within the media unit fails. In other implementations, individual drives within the media unit 236 can be independently replaced or repaired.

In the mass data storage system 200, the media units are each powered by a respective power supply unit (e.g., power sources denoted PWR 0-PWR M). A distribution of media units to power supply units varies in different implementations; however, in FIG. 2, a ratio of media units to power supply units is 2:1 so that each power supply unit is shared by a pair of physically adjacent media units. In other implementations, the ratio of media units to power supply units is any ratio supporting applicable data protection rules for an associated physical or logical area of the mass data storage system, such as, for example, 5:1, 10:1, etc.

A “physical position matrix” defines a physical orientation of storage resources and power resources in the mass storage system 200 relative to one another. For example, physical positions of the storage resources and power supply units can be defined by a physical position matrix of the form [PowerUnit_((i)), MediaUnit_((j)), Position_((k))], where ‘i’ is an index of the power supply unit (e.g., 0, 1, 2, . . . M); ‘j’ is an index of a media unit corresponding to each power supply unit (e.g., 0 or 1 in the implementation shown); and ‘k’ is a drive index position of each storage drive within a single associated media unit (e.g., positions 0-7 in each media unit including 8 storage drives). Using this notation, each storage drive in the mass storage system occupies a unique index corresponding to a specific power supply unit. For example, the storage drive 222 is described by the position [1, 0, 1] (e.g., power supply unit=PWR 1, media unit=0, and drive index=1).

The above-described notation is just one of many suitable formats for describing a physical layout of storage drives and power resources within a mass storage system. A single position matrix may be used to described positions of power supply units and storage resources in a single rack (as shown) and/or across multiple racks including those in different physical storage locations. In some implementations, a physical position matrix is used to described power and storage resources distributed across a portion of a rack rather than an entire rack.

Each unique index of the physical position matrix can be further associated with a sub-matrix defining a “logical zone.” For example, logical zones 212, 214, and 216 are each defined by sub-matrices indicated by dotted lines. The logical zones 212, 214, and 216 each include storage resources distributed in a manner that satisfies one or more resource distribution rules applied to the respective logical zone. In one implementation, all logical zones apply the same resource distribution rules. In another implementation, different logical zones apply different resource distribution rules.

According to one implementation, one or more of the logical zones apply a resource distribution rule specifying maximum number of storage resources in each zone that may be powered by a same power supply unit. For example, each of the logical zones 212, 214, and 216 group together storage resources distributed such that no singular power supply unit (e.g., PWR 0-PWR M) supplies power to more than two storage resources in a same logical zone.

In another implementation, one or more logical zones apply a resource distribution rule specifying a maximum number of storage resources per logical zone that can belong to a same FRU. For example, the logical zone 216 imposes a resource distribution rule allowing up to two storage drives of a same FRU to be in the same logical zone, while the logical zone 212 imposes a resource distribution rule mandating that each storage drive of a same FRU is in a different logical zone.

For simplicity, each of the logical zones 212, 214, and 216 is shown to include storage resources arranged in vertical columns. Provided that each logical zone satisfies any applicable resource distribution rules, the storage resources in each logical zone can be arranged in a number of different possible configurations (e.g., diagonally adjacent storage resources, horizontally-adjacent storage resources, non-adjacent storage resources, etc.). Logical zones may span more than one rack (e.g., the rack 202) and may include storage resources in more than one facility.

Some storage drives in the storage system 200 may not be initially assigned to a logical zone. Instead, these storage drives can be used as “spares” that can be elastically added to and/or removed from one or more of the existing logical zones. Other storage resources may be assigned to more than one logical zone. In some implementations, the rack controller 218 or other compute node may “re-zone” the logical resources dynamically to allow for redistribution of the storage resources to different logical zones.

When incoming data is written to a particular logical zone in the storage system 200, redundancies of the data are written to multiple storage locations within the same logical zone. For example, data directed to a storage drive 222 is redundantly written (e.g., creating data redundancies, as defined above) to storage drives within the logical zone 212, such as different FRUs powered by different power supply units. In the illustrated example, data directed to the storage drive 222 is redundantly written to storage drives defined by the physical matrix positions [0, 1, 1], [2, 0, 1], [2, 1, 1], and [3, 1, 1], as indicated by the solid-filed dots within the logical zone 212.

When data of a write command arrives at the rack controller 218, the rack controller 218 first determines a target logical zone for the data. For example, the data may be addressed to a particular logical zone or the rack controller 218 may assign the data to a logical zone based on a variety of considerations such as a level of data protection specified by a user (e.g., a user's subscription plan to the mass storage system 200), a type of data, availability of various resources, etc.

Based on the determined target logical zone, the rack controller 218 further determines a number of storage resources in the target logical zone to receive the data (e.g., redundant data) of the write command. In one implementation, each logical zone is associated with a degree of data protection provided to resources located therein. For example, the logical zone 212 may apply redundancies providing a first degree of data protection to data stored therein while the logical zone 214 may apply redundancies providing a second different degree of data protection to data stored therein. Thus, the target logical zone may dictate the number of resources on which data redundancies are included.

After determining the number of storage resources to receive the data redundancies, the rack controller 218 selects specific storage resources within the target logical zone to receive the data. Selection of storage resources may be based on a variety of factors including some not discussed above, such as available storage capacity of each resource, power constraints restricting usage of certain resources, etc.

After selecting storage resources to receive data of a write operation, the rack controller 218 writes data redundancies of the incoming data to the selected storage resources within the target logical zone.

In addition to writing the data redundancies, the rack controller 218 (or other compute node) creates metadata including logical and physical components describing the data redundancies. A logical metadata component may include, for example, a unit ID of each storage drive storing a portion of the data redundancies and/or a world wide unique ID of the associated media unit. The unit ID is an identifier of a storage resource that is used when reading or writing data to the storage resource. In contrast, a physical metadata component may include, for example, indices of the physical position matrix indicating where the data redundancies are physically stored (e.g., in relation to one another, various FRUs, and various power supply units of the mass data storage system). In one implementation, a physical metadata component for data includes a world-wide unique identifier of a media unit (e.g., zone board).

In various implementations, the metadata can be stored in different locations, such as with the data redundancies and/or in one or more other storage locations accessible by one or more media unit controller(s) or rack controller(s).

In the example write of FIG. 2, the rack controller 218 spreads incoming data to redundant storage locations within the logical zone 212 indicated by the solid-filled dots. As used herein, the term “redundant storage locations” refers to locations storing corresponding data redundancies. In addition, the rack controller 218 or other compute node creates metadata indicating the logical and physical positions where the data redundancies are stored. For example, the metadata indicates that the data redundancies are stored at the following positions of the physical position matrix: [0, 1, 1], [1, 0, 1], [2, 0, 1], [2, 1, 1], and [3, 1, 1]. In the event that a storage drive fails at any of these positions, the storage system 200 can rebuild lost data on the failed drive using the redundant data stored within the same logical zone.

If, for example, a storage drive 222 at position [1, 0, 1] fails, the associated FRU (e.g., media unit 236) may be taken offline to facilitate replacement of the storage drive 222. When the FRU is returned to an on-line state (e.g., a state where data may be read from and written to the FRU), the new storage drive at position [1, 0, 1] can be restored to a pre-failure state using the other data redundancies by the positions [0, 1, 1], [2, 0, 1], [2, 1, 1], and [3, 1, 1].

The above-described data distribution scheme guarantees a data distribution across multiple FRUs. Therefore, if data of the storage drive 222 is updated while the media unit 236 is off-line, the updated data is not lost. Rather, the update is written into the redundancies of other FRUs on the system within the same logical zone. These other FRUs can then be subsequently used to restore the storage drive 222 once the media unit 236 is back online.

FIG. 3 illustrates another example data storage scheme for providing data redundancies across multiple FRUs in a mass data storage system 300. The mass data storage system 300 includes a storage rack 302 including a number of media units (e.g., media units 330 and 332) mutually coupled to and controlled by a rack controller 318 (e.g., a compute node). Each media unit includes a media unit controller (e.g., a media unit controller 324) communicatively coupled to an associated nest of storage drives. The rack controller 318 is communicatively coupled to the media unit controllers within the corresponding rack 302.

Each storage drive in the mass data storage system 300 has a physical position defined by an index in a physical position matrix relating physical locations of various storage resources, power resources, and FRUs. For example, physical positions of the storage resources and power supply units can be defined by a physical position matrix of the form [PowerUnit_((i)), MediaUnit_((j)), Position_((k))], where ‘i’ is an index of the power supply unit (e.g., 0, 1, 2, . . . M); ‘j’ is an index of a media unit (FRU) corresponding to each power supply unit (e.g., 0 or 1 in the implementation shown); and ‘k’ is a drive array position of each storage drive within a single associated media unit (e.g., positions 0-7 in each media unit including 8 storage drives).

Each position within the physical position matrix may be further associated with one or more logical zones. Each logical zone groups together resources having a distribution satisfying one or more pre-defined resource distribution rules. In one implementation, a power-resource distribution rule specifies a maximum number of storage resources in each zone that may be powered by a same power supply unit. For example, FIG. 3 illustrates example logical zones 304, 306, 308, 310, 312, 314, 316, 318. None of these logical zones include more than two storage resources powered by a same power supply unit.

When data is written to the mass data storage system 300, the data is assigned to a logical zone and written to multiple locations (either in full or part) within the assigned logical zone. For example, the logical zone 304 stores data redundancies in positions of the physical position matrix defined by [0, 0, 0], [1, 1, 0], [3, 0, 0], and [3, 1, 0]; the logical zone 306 stores redundant data in positions of the physical position matrix defined by [0, 1, 1], [1, 0, 1], [2, 0, 1], [2, 1, 1], and [3, 1, 1]; and the logical zone 312 stores data redundancies in positions of the physical position matrix defined by [0, 0, 4], [1, 0, 4], [2, 1, 4], [4, 0, 4], and [4, 1, 4].

If one or more drives in a particular media unit (e.g., media unit 336) fail, the entire media unit may be replaced and restored. Restoration can be performed in a number of different ways depending on variable circumstances of a given failure scenario.

In one implementation, a storage drive replacement is anticipated and data of the drive is physically copied to a “spare” prior to replacing the storage drive. If, for example, the storage drive 322 fails, data of the storage drive 326 may be copied to a spare drive in anticipation of the replacement of the media unit 336, provided that the storage drive 326 is functional and such copy can be made. When the media unit 336 comes back on-line after the replacement, the storage drive 326 can be restored (in full or part) from the spare.

In another implementation, one or more storage drives are restored entirely from redundancies included in a same logical zone. If, for example, the media unit 336 is replaced, each of the 8 storage drives within the media unit 336 can be restored from redundant data stored in the corresponding logical zone (e.g., of the 8 different logical zones 304, 306, 308, 310, 312, 314, 316, and 318). For example, data of the storage drive 322 may be restored from data redundancies in the logical zone 306 on storage drives identified by the positions [0, 1, 1], [2, 0, 1],[2, 1, 1], and [3, 1, 1]. Likewise, data of the storage drive 326 can be restored from data redundancies in the logical zone 312 identified by the positions [0, 0, 4], [2, 1, 4], [4, 0, 4], and [4, 1, 4]. In this manner, data of an entire FRU (e.g., the media unit 336) can be restored from data redundancies distributed across other FRUs in the mass data storage system 300.

In the event of a power supply unit failure, multiple FRUs may go off-line. For example, FRUs 336 and 338 may both go off-line if the power supply unit “PWR 1” fails. While the power supply unit PWR 1 is being repaired and/or replaced, the rack controller 318 may continue to receive write commands to update or modify data stored in the media units 336 and 338. In this scenario, the rack controller 318 may continue writing data redundancies to available storage resources while the media units 336 and 338 are off-line. When power to the failed power supply unit (“PWR 1”) is restored, data of each storage drive in the media units 336 and 338 can be compared to and reconciled with corresponding data redundancies in the redundant storage locations of the corresponding logical zone. For example, data on the storage drive 332 may be compared to and reconciled with data stored on storage drives at the positions [0, 0, 0], [2, 0, 1], [2, 1, 1], and [3, 1, 1].

FIG. 4 illustrates an example control system 416 that provides data redundancies for data reconstruction in a mass data storage system 400. Aspects of the mass data storage system 400 may be contained within a rack controller (e.g., rack controller 118 of FIG. 1) and/or a media unit controller (e.g., media unit controller 126 of FIG. 1) associated with each individual storage drive of the mass data storage system 400. In some implementations, aspects of the storage system 400 may span multiple racks and/or geographic locations.

The control system 416 includes a storage interface 440 that allows the mass data storage system 400 to receive incoming data from external data source(s) from a computer network 406 and send outgoing data to external data destination(s) that may have disparate operating systems operating over one or more computer networks.

The storage interface 440 is communicatively coupled to redundancy manager 404 that manages a physical position map 406 and a logical zone map 408. The physical position map 406 maps physical positions of various storage resources, FRUs, and power supply units in relation to one another. The logical zone map 408 maps groupings of storage resources into various logical zones according to one or more resource distribution rules. For example, one logical zone may apply a resource distribution rule under which an individual power supply unit can power no more than a maximum predetermined number of storage resources in one zone. Another example resource distribution rule specifies that a maximum number of storage resources per logical zone that can belong to a same FRU. A variety of other resource distribution rules are contemplated for use in other implementations. The logical zone map 408 may designate some individual storage resources as “spares” that are not associated with any particular logical zone; other individual storage resources may be assigned to more than one logical zone.

The redundancy manager 404 is communicatively coupled to a read/write manager 412 and the read/write manager 412 is coupled, through a block layer interface 410, to a plurality of storage nodes (e.g., rack controllers, media unit controllers, etc.) within the mass storage system 400. Communication channels may allow for bidirectional data flow between all storage nodes in the mass data storage system 400. For example, the read/write manager 412 may be communicatively coupled to a plurality of different rack controllers; each rack controller may be communicatively coupled to media unit controllers within the corresponding rack; and each of the media unit controllers may be communicatively coupled to an associated nest of internal storage drives.

When the redundancy manager 404 receives a command to write new data to the mass data storage system 400 (e.g., from the computer network 408), the redundancy manager 404 consults the logical zone map 408 to select a logical zone on which to store the incoming data. The redundancy manager 404 may further consult resource distribution rules 416 to determine which storage resources within the selected logical zone to write the data to. The resource distribution rules 416 may specify, for example, a level of data protection associated with each logical zone, one or more rules for distributing data redundancies across different FRUs in a logical zone, one or more rules for distributing data redundancies across storage resources in a logical zone powered by disparate power supply units, etc.

Based on the resource distribution rules, the redundancy manager 404 selects specific storage resources to receive the data redundancies, and the read/write manager 412 writes the data to the selected individual storage resources. When writing the data redundancies, the read/write manager 412 creates metadata to associate with the data redundancies in a memory location. In one implementation, the metadata includes a physical location component and a logical location component. The physical component indicates positions in the physical position map where the data (or a portion of the data) is stored. The logical component indicates logical positions where the data is stored (e.g., a unit ID or logical address of each storage resource). The metadata is stored in a metadata repository 418, which may be stored in and/or distributed across a number of different storage locations in different implementations.

An off-line/on-line monitor 414 monitors a power state of various storage resources in the mass data storage system 400. When a storage resource goes off-line unexpectedly, the on-line/off-line monitor 414 flags the storage resource as potentially ‘down for repair/replacement.’ In some implementations, a storage resource is flagged as ‘down for repair/replacement’ by other mechanisms (e.g., subsystems) of the control system (not shown). For example, a user may hit an “ejection button” that transmits a command to the off-line/on-line monitor 414 to flag a particular FRU as ‘down for repair/replacement.’

The off-line/on-line monitor 414 communicates with a restoration manager 420, and informs the restoration manager 420 when a new (e.g., a replacement) storage resource is first detected on-line. Responsive to communications from the off-line/on-line monitor 414, the restoration manager 420 accesses metadata corresponding to the physical positions of the replaced resource(s) and, from the metadata, determines a location of data redundancies that may be used to restore data of the replaced storage resource(s). The restoration manager 420 then accesses the data redundancies and restores data in the replaced storage resources to reflect a current state of the data redundancies.

In some implementations, restoration of data entails comparison with and reconciliation to data redundancies stored in one or more redundant data locations. For example, a power supply unit failure may temporarily cause one or more storage resources to go off-line. While the storage resources are off-line, data directed to those storage resources may be updated and the updates performed to the data at the redundant data locations. When the off-line resources are returned to an on-line state, the stored data of those resources is no longer current and the restoration manager uses the associated data redundancies to restore the data to a current state of the data redundancies.

In FIG. 4, one or more of the redundancy manager 404, read/write manager 412, on-line/off-line monitor 414, and restoration manager 420, are embodied in software and/or hardware implemented in a tangible computer-readable storage media readable by a computing node within or communicatively coupled to the mass data storage system. The term “tangible computer-readable storage media” includes, but is not limited to, random access memory (“RAM”), ROM, EEPROM, flash memory or other memory technology, CDROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other tangible medium which can be used to store the desired information and which can be accessed by mobile device or computer. In contrast to tangible computer-readable storage media, intangible computer-readable communication signals may embody computer readable instructions, data structures, program modules or other data resident in a modulated data signal, such as a carrier wave or other signal transport mechanism.

FIG. 5 illustrates example operations 500 for providing redundancies for reconstruction of FRUs in a mass data storage system. A first defining operation 505 defines a physical position map (e.g., a matrix) indicating physical positions of a plurality of storage resources relative to power supply units in the mass data storage system. In some implementations, the physical position map also indicates physical positions of the plurality of storage resources relative to one another and/or to different field replaceable units in the mass data storage system.

A selection operation 510 selects a subset of the plurality of storage resources to receive data of a write command. In one implementation, the subset is a logical zone providing a guaranteed level of data protection to data stored therein. The selected subset includes storage resources physically distributed about the system in a manner that satisfies a predetermined physical distribution rule. One example predetermined resource distribution rule limits a number of storage resources that can be in a same logical zone and included in a same FRU. Another example predetermined resource distribution rule limits a number of storage resources that can be in a same logical zone and powered by a same power supply unit.

An identification operation 515 identifies a level of data protection applied to data stored within the selected logical zone and a determination operation 520 determines a minimum number of storage resources that may receive the data (e.g., data redundancies) while maintaining compliance with the identified level of data protection.

A write operation 525 writes the data (e.g., data redundancies) to one or more selected storage resources of the subset, thereby providing the identified level of data protection. In one implementation, the selected storage resources of the subset are selected based on the determination operation 520 and/or one or more other considerations such as resource availability, power constraints, desired storage attributes, etc. A metadata creation operation 530 creates a metadata object indicating the physical and logical locations of the data redundancies. The metadata object is associated in memory with each of the selected storage resources.

FIG. 6 illustrates example operations 600 for reconstructing one or more storage resources of a field replaceable unit in a mass data storage system. A first defining operation 605 defines a physical position map (e.g., a matrix) indicating physical positions of a plurality of storage resources relative to power supply units in the mass data storage system. In some implementations, the physical position map also indicates physical positions of the plurality of storage resources relative to one another and/or to different field replaceable units in the mass data storage system.

A detection operation 610 detects a failed storage resource from among the plurality of storage resources. The term “failed storage resource” may refer to, for example, a storage resource that is intentionally or unintentionally taken off-line for repair or replacement. In some cases, the failed storage resource may be non-functional at the time it is taken off-line. In other cases, the failed storage resources may be fully functional when taken off-line. For example, a functional media unit may be intentionally ejected from the mass storage system to facilitate upgrade or component replacement.

An accessing operation 615 accesses metadata associated with the failed storage resource to identify a subset of the storage resources storing data redundancies for the failed storage resource. In one implementation, the subset includes storage resources powered by different power supply units than one another and/or the failed storage resource. The accessed metadata is saved in association with a physical or logical position of the failed resource. In one implementation, the metadata references positions on the physical position map corresponding to storage resources that store data redundancies for the failed storage resource. In another implementation, the metadata references logical rather than physical positions of storage resources storing the data redundancies for the failed storage resource. In both of these implementations, the metadata may be originally generated as a result of logical zoning of the physical position map based on resource distribution rules. Consequently, the metadata is itself “based on” the physical position map. A restoration operation 620 restores data of the failed storage resource from one or more storage resources of the identified subset.

The implementations of the disclosed technology described herein are implemented as logical steps in one or more computer systems. The logical operations of the presently disclosed technology are implemented (1) as a sequence of processor-implemented steps executing in one or more computer systems and (2) as interconnected machine or circuit modules within one or more computer systems. The implementation is a matter of choice, dependent on the performance requirements of the computer system implementing the disclosed technology. Accordingly, the logical operations making up the embodiments of the disclosed technology described herein are referred to variously as operations, steps, objects, or modules. Furthermore, it should be understood that logical operations may be performed in any order, adding and omitting as desired, unless explicitly claimed otherwise or a specific order is inherently necessitated by the claim language.

The above specification, examples, and data provide a complete description of the structure and use of exemplary embodiments of the disclosed technology. Since many embodiments of the disclosed technology can be made without departing from the spirit and scope of the disclosed technology, the disclosed technology resides in the claims hereinafter appended. Furthermore, structural features of the different embodiments may be combined in yet another embodiment without departing from the recited claims. 

What is claimed is:
 1. A system comprising: a physical position map that defines physical positions of a plurality of storage resources relative to a number of power supply units; an on-line/off-line monitor that detects a failed storage resource of the plurality of storage resources; and a restoration manager executable by one or more processors that identifies a subset of the storage resources storing data redundancies based on the physical position map and restores data of the failed storage resource from at least one other storage resource of the identified subset powered by a different power supply unit than the failed storage resource.
 2. The system of claim 1, wherein the identified subset of the storage resources are distributed between different field replaceable units.
 3. The system of claim 1, wherein the restoration manager identifies the subset of storage resources by accessing metadata corresponding to a physical position of the failed resource.
 4. The system of claim 1, wherein no more than a predetermined number of storage resources of the identified subset share an independent power supply unit.
 5. The system of claim 1, wherein no more than a predetermined number of storage resources of the identified subset are included in a same field replaceable unit.
 6. The system of claim 1, wherein the restoration manager reconciles outdated data of the failed resource with updated data of the at least one storage resource of the identified subset.
 7. The system of claim 1, wherein the restoration manager is configured to restore data of multiple storage resources of a same field replaceable unit responsive to a power supply failure.
 8. A system comprising: a physical position map identifying physical positions of a plurality of storage resources relative to a number of power supply units; a redundancy manager executed by one or more processors that uses the physical position map to define a subset of the storage resources having a physical distribution satisfying at least one resource distribution rule; and a read/write manager executed by one or more processors that writes data redundancies for incoming data to select storage resources of the defined subset to provide a predetermined level of data protection.
 9. The system of claim 8, wherein the at least one resource distribution rule specifies a maximum number of storage resources of the subset sharing an independent power supply unit.
 10. The system claim 8, wherein the at least one resource distribution rule specifies a maximum number of storage resources of the subset included in a same field replaceable unit.
 11. The system of claim 8, wherein the redundancy manager is further configured to: create a metadata object identifying locations of each of the select storage resources of the subset; and save the metadata object in association with the data redundancies.
 12. The system of claim 11, wherein the metadata object references positions of the physical position map corresponding to each of the select storage resources of the subset.
 13. The system of claim 8, wherein the redundancy manager is further configured to: determine a minimum number of the storage resources in the subset on which to store the data redundancies while providing the predetermined level of data protection; and select the storage resources of the subset based on the determination of the minimum number.
 14. A method comprising: generating a physical position map that defines physical positions of a plurality of storage resources relative to a number of power supply units; detecting a failed storage resource; accessing metadata based on the physical position map to identify a subset of the storage resources storing redundant data for the failed storage resource; and restoring data of the failed storage resource from one or more storage resources of the subset.
 15. The method of claim 14, wherein the subset of the storage resources are distributed between different field replaceable units.
 16. The method of claim 14, wherein the storage resources of the subset do not share a power supply unit with the failed storage resource.
 17. The method of claim 14, wherein no more than a predetermined number of storage resources of the subset are included in a same field replaceable unit.
 18. The method of claim 14, wherein no more than a predetermined number of storage resources of the subset share a common power supply unit.
 19. The method of claim 14, wherein the metadata references positions of the physical position map corresponding to locations of stored redundancies for data of the failed storage resource.
 20. The method of claim 14, further comprising: detecting replacement of a field replaceable unit including multiple storage resources of the plurality of storage resources; rebuilding the data of each of the multiple storage resources of the field replaceable unit from a different a subset of storage resources defined by the physical position map, wherein no more than a predetermined number of storage resources of each of the subsets share an independent power source. 